Federated authentication through SAML

Authentication policy

The most common method of authenticating authorized users of ScienceDirect and Scopus is by Internet Protocol (IP) address authentication from computers within your organization's registered IP address range(s). This is the so-called "one-factor authentication," and automatically limits access to ScienceDirect and Scopus to the premises of your organization. To access your organization's subscribed content from outside the premises, please see the remote access options described on the ScienceDirect Access Methods page and on the Scopus Access page.

The Elsevier Agreement requires that, regardless of authentication mechanism, two-factor authentication be used by off-site users. This means that remote users need at least two variables to authenticate. Examples of two-factor authentication include a username and a password, a staff ID and a PIN, or an email address and software token. Web proxy servers that require only a staff ID for logging in without an additional password are not allowed for authenticating ScienceDirect and Scopus users.

If we notice that two-factor authentication is not deployed for off-site access to ScienceDirect or Scopus, we will contact you to discuss your situation and offer advice about alternative authentication methods.

How to construct Shibboleth authentication links to ScienceDirect and Scopus

Also applies to OpenAthens

Introduction

Typically, a Shibboleth session is initiated by a service provider (SP) that issues a Shibboleth Authentication Request to the user's Identity Provider (IdP), either directly or via the federation's WAYF ("Where Are You From") page. On ScienceDirect and Scopus, this is implemented via the "Institution Login" link, then via ScienceDirect's or Scopus' local WAYF implementation, where the user selects a federation and institution before being redirected to their chosen institution's login screen. However, it is also possible to let users log into ScienceDirect and Scopus through an organization's IdP directly from a library portal, OPAC or any other website, without users having to go to ScienceDirect or Scopus first. This is done by building Authentication Request URLs yourself. Doing so removes a few steps in the login process for users and makes it far more intuitive to get to ScienceDirect and Scopus under federated authentication using Shibboleth.

Implementation

To implement direct Shibboleth login functionality from your library or organization's website, you need to build Shibboleth Authentication Request URLs that direct the user to the login page of your IdP. These URLs identify ScienceDirect as the target service provider and include the specific ScienceDirect target URL where you would like the user to land after authentication. These links force any user clicking on them to enter their credentials before going into ScienceDirect; users who are already logged into your authentication service are seamlessly redirected to ScienceDirect.

For organizations that use OpenAthens, the IdP is run and operated by Eduserv. This means that in the URL syntax, the entity ID to use is the "identityID" of the IdP that Eduserv operates for each separate NHS region or organization.

For information about the OpenAthens IdP to which your organization is mapped, please contact Eduserv.

In principle, all ScienceDirect and Scopus URLs can be used as target URLs. However, it is safest to use ScienceDirect's and Scopus' published set of persistent "Short Cut" URLs to link to specific pages in the site, as these are guaranteed not to change. For more information about persistent ScienceDirect URLs, go here.

HTTPS upgrade

As part of a global effort to improve security and privacy for customers across our products, Elsevier is transitioning the ScienceDirect web environment to Hyper Text Transfer Protocol Secure (HTTPS). The transition to HTTPS will complete in 2018.

Although Elsevier will redirect your old HTTP URLs for years to come, we recommend that you update any existing HTTP URLs to HTTPS for security reasons. Furthermore, all new URLs must be built for HTTPS.
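The following is an added example, not Elsevier's code, of a link builder that follows the Implementation and HTTPS upgrade sections: it percent-encodes the IdP entity ID and the target URL, upgrades legacy HTTP targets to HTTPS, and rejects targets outside an allow-list so that portal links cannot be repurposed as redirects to other sites. The login endpoint is a placeholder, the `entityID` and `target` parameter names follow the Shibboleth SP software's convention, and the host allow-list and sample values are assumptions; take the real endpoint and parameter names from Elsevier's published link syntax.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Assumption: placeholder endpoint. Replace it with the login endpoint
# that Elsevier publishes for ScienceDirect or Scopus.
SP_LOGIN_ENDPOINT = "https://sp.example.org/Shibboleth.sso/Login"

# Assumption: hosts this portal is allowed to link to after login.
ALLOWED_TARGET_HOSTS = {"www.sciencedirect.com", "www.scopus.com"}


def normalize_target(target_url: str) -> str:
    """Return the target as an HTTPS URL on an allowed host, or raise ValueError."""
    parts = urlsplit(target_url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in the target URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_TARGET_HOSTS:
        raise ValueError(f"target host not allowed: {host!r}")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"unexpected port: {parts.port}")
    # Upgrade legacy http:// links to https:// and drop any explicit port.
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))


def build_login_link(idp_entity_id: str, target_url: str) -> str:
    """Build the link a library portal would publish for direct login."""
    entity_id = idp_entity_id.strip()
    if not entity_id:
        raise ValueError("IdP entity ID is required")
    # urlencode percent-encodes both values, so ':' '/' '?' and '&' inside the
    # target cannot be misread as part of the outer query string.
    query = urlencode({"entityID": entity_id, "target": normalize_target(target_url)})
    return f"{SP_LOGIN_ENDPOINT}?{query}"


if __name__ == "__main__":
    # Constructed sample values: a fictional IdP and a legacy HTTP target.
    print(build_login_link("https://idp.example.edu/idp/shibboleth",
                           "http://www.sciencedirect.com/example/page"))
```

Running the builder over every link already on a portal page is a quick way to find legacy HTTP targets and targets that point somewhere other than the intended service.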

Contact

For more information about any of the access methods to ScienceDirect and Scopus described above or for help with any access issues, please contact Elsevier Customer Service.